Security agency offers $3 million for iOS 9 jailbreak

In an initiative dubbed The Million Dollar iOS 9 Bug Bounty, Zerodium CEO Chaouki Bekrar is offering upwards of $3 million to anyone or group of people who can come up with a way to jailbreak iOS 9.

Zerodium is specifically seeking an exclusive, browser or text message-based, “workable, remote and untethered jailbreak that will persist even after reboot.” The rules add that the exploit should be achievable without requiring any proactive action from users beyond visiting a webpage or reading a text message.

In a blogpost advertising the contest, Bekrar writes that because Apple has made tremendous strides strengthening iOS security over the years, finding effective iOS exploits is becoming increasingly more challenging. Calling iOS the most secure mobile OS on the planet, Bekrar adds that iOS currently has “the highest cost and complexity of vulnerability exploitation.”

The solution? Tempt security researchers with boatloads of cash.

“The Million Dollar iOS 9 Bug Bounty,” the blog post reads, “is tailored for experienced security researchers, reverse engineers, and jailbreak developers, and is an offer made by Zerodium to pay out a total of three million U.S. dollars in rewards for iOS exploits/jailbreaks.”

While the contest may sound a little far-fetched at first glance, rest assured that it’s anything but. Bekrar, in case you’re unfamiliar with his resume, is a well-known and highly skilled wheeler and dealer in the world of security exploits. In addition to heading up Zerodium, Bekrar also heads up Vupen Security, a French cybersecurity firm that specializes in unearthing zero-day exploits and selling them to law enforcement and intelligence agencies. Notably, the NSA is a known customer of Vupen Security.

Clearly a talented group, Vupen has taken home a first prize in Pwn2Own in four of the last five years. Back in March of 2014, for instance, Vupen took home $400,000 in prizes after disclosing zero-day exploits in Firefox, Adobe Reader, Google Chrome and IE 11. In short, Bekrar and co. take these types of exploits extremely seriously.

The rules and conditions that govern the iOS 9 bug bounty read as follows:

Eligible submissions must include a full chain of unknown, unpublished, and unreported vulnerabilities/exploits (aka zero-days) which are combined to bypass all iOS 9 exploit mitigations including: ASLR, sandboxes, rootless, code signing, and bootchain.

The exploit/jailbreak must lead to and allow a remote, privileged, and persistent installation of an arbitrary app (e.g. Cydia) on a fully updated iOS 9 device (see below).

The initial attack vector must be either:
– a web page targeting the mobile browser (Mobile Safari OR Google Chrome) in its default configuration; OR
– a web page targeting any application reachable through the browser; OR
– a text message and/or a multimedia file delivered through a SMS or MMS.

The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS (attack vectors such as physical access, bluetooth, NFC, or baseband are not eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such attack vectors.).

Partial or incomplete exploits/jailbreaks will not be eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such partial exploits.

All submissions must be made exclusively to ZERODIUM and must include the fully functioning exploit and its source code (if any), and a detailed whitepaper describing all the zero-day vulnerabilities and techniques used in the jailbreak.

The contest is slated to end on October 31, 2015, or perhaps sooner if an exploit is discovered before then. Though truth be told, if a successful exploit is uncovered, we imagine Zerodium will do what it can to keep it under wraps.